Privacy & Security Notices
Provide privacy and security notices consistent with applicable CUI rules.
What an assessor scores, the objectives
AC.L2-3.1.9 is met only when both of these objectives, from NIST SP 800-171A, are satisfied. A single missed objective makes the whole requirement not met.
- [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category
- [b] privacy and security notices are displayed
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods: examine, interview, and test. For AC.L2-3.1.9, an assessor uses these:
Examine: privacy and security policies; procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgements of notification message or banner; system security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records
Interview: system or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers
Test: mechanisms implementing system use notification
What it means, in context
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Every system containing or providing access to CUI has legal requirements concerning user privacy and security notices. One method of addressing this requirement is the use of a system-use notification banner that displays the legal requirements of using the system. Users may be required to click to agree to the displayed requirements of using the system each time they log on to the machine. This agreement can be used in the civil and/or criminal prosecution of an attacker that violates the terms. The legal notification should meet all applicable requirements. At a minimum, the notice should inform the user that:
- information system usage may be monitored or recorded, and is subject to audit;
- unauthorized use of the information system is prohibited;
- unauthorized use is subject to criminal and civil penalties;
- use of the information system affirms consent to monitoring and recording;
- the information system contains CUI with specific requirements imposed by the Department of Defense; and
- use of the information system may be subject to other specified requirements associated with certain types of CUI, such as Export Controlled information.
Example
You are setting up IT equipment, including a database server that will contain CUI. You have worked with legal counsel to draft a notification. It contains both general and specific CUI security and privacy requirements [a]. The system displays the required security and privacy information before anyone logs on to your organization's computers that contain or provide access to CUI [b].
Potential Assessment Considerations
- Are objectives identified for privacy and security notices, and does the implementation satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process and/or an incomplete objective for the overall requirement.
- Are there any special requirements associated with the specific CUI category [a]?
- Are appropriate notices displayed in areas where paper-based CUI is stored and processed [b]?
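An assessor compares the banner a user actually sees against the minimum content listed above, and a generic welcome message fails that comparison. The following Python checker is an added example, not code from this page or from the CMMC assessment guide: it tests a banner's text for each of the six minimum elements and reports what is missing. The regular expressions are assumptions about how such banners are usually worded (a legally reviewed banner with unusual phrasing may need them adjusted), and the three sample banners are constructed for illustration.

```python
"""Check a system-use notification banner for the minimum AC.L2-3.1.9 elements.

Added example, not from this page or from NIST/DoD. The six element names
follow the minimum-content list; the regexes that detect each element are
assumptions about typical banner wording, not an authoritative test.
"""
import re
import sys
from typing import Dict, List

# Element name -> regex that must match somewhere in the banner (case-insensitive).
REQUIRED_ELEMENTS: Dict[str, str] = {
    # usage may be monitored or recorded, and is subject to audit
    "usage_monitored": r"\b(monitor|record|audit)",
    # unauthorized use is prohibited
    "unauthorized_use_prohibited": r"unauthori[sz]ed\s+(use|access)\b.{0,80}?prohibit",
    # unauthorized use is subject to criminal and civil penalties
    "penalties": r"\b(criminal|civil)\b.{0,60}?(penalt|prosecut)",
    # use affirms consent to monitoring and recording
    "consent_to_monitoring": r"\bconsent",
    # the system contains CUI with DoD-imposed requirements
    "contains_cui": r"\bCUI\b|controlled\s+unclassified\s+information",
    # other category-specific requirements, e.g. Export Controlled information
    "category_specific": r"export[\s-]control|\bITAR\b|additional\s+handling",
}


def check_banner(text: str) -> Dict[str, bool]:
    """Return, for each required element, whether the banner text conveys it."""
    flat = " ".join(text.split())  # collapse line breaks so a phrase can span lines
    return {
        name: re.search(pattern, flat, re.IGNORECASE) is not None
        for name, pattern in REQUIRED_ELEMENTS.items()
    }


def missing_elements(text: str) -> List[str]:
    """Names of required elements the banner does not convey, in list order."""
    return [name for name, ok in check_banner(text).items() if not ok]


def is_compliant(text: str) -> bool:
    """True only when every minimum element is present."""
    return not missing_elements(text)


def check_banner_file(path: str) -> Dict[str, bool]:
    """Check a deployed banner, e.g. /etc/issue.net or the file named by sshd's Banner directive."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_banner(fh.read())


# Constructed sample banners (illustrative, not any organization's real text).
COMPLIANT_BANNER = """\
WARNING: This information system contains Controlled Unclassified Information
(CUI) subject to requirements imposed by the Department of Defense. Use is
restricted to authorized users; unauthorized use is prohibited and may subject
you to criminal and civil penalties. Usage may be monitored, recorded, and
audited. By using this system you consent to such monitoring and recording.
Some CUI here, such as Export Controlled information, carries additional
handling requirements."""

GENERIC_BANNER = "Welcome to the ACME file server. Have a nice day."

PARTIAL_BANNER = "Unauthorized access prohibited. Activity may be monitored."


def report(label: str, text: str) -> None:
    """Print a one-line verdict plus the missing elements for a banner."""
    missing = missing_elements(text)
    verdict = "PASS" if not missing else "FAIL"
    print(f"{label}: {verdict}" + (f" (missing: {', '.join(missing)})" if missing else ""))


if __name__ == "__main__":
    # With file paths as arguments, check deployed banners; otherwise run the samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(path, fh.read())
    else:
        report("compliant sample", COMPLIANT_BANNER)
        report("generic welcome", GENERIC_BANNER)
        report("partial banner", PARTIAL_BANNER)
```

Run it with no arguments to see the three samples scored, or pass the path of the banner file your login interface actually displays (for example the file named by `Banner` in `sshd_config`) to produce a repeatable record for the evidence folder. A pass here only shows the wording covers the six elements; the banner still needs the legal review and the screenshot of it being displayed that the assessment objectives call for.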
What passing evidence looks like
A photo or screenshot of the actual notice a user sees at sign in, with wording that matches your published policy, together with the documented legal approval of that wording.
Common ways contractors fail AC.L2-3.1.9
- The banner text should reference monitoring and authorized use consistent with CUI handling. A generic welcome message does not satisfy the objective.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove AC.L2-3.1.9, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AC.L2-3.1.9 questions, answered
How many points is CMMC requirement AC.L2-3.1.9 worth?
AC.L2-3.1.9 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can AC.L2-3.1.9 be placed on a POA&M?
Yes. A gap on AC.L2-3.1.9 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does AC.L2-3.1.9 belong to?
AC.L2-3.1.9 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.1.9